Fortigate

    To configure your Fortigate firewall and integrate it with the Glasswall Halo ICAP server, please follow this configuration guide.

    Note: these steps are documented as per Fortigate v7.4.

    Configure Interfaces and Routes

    Configure Static IP to Inside Interface

    Two Network Interfaces are attached to the VM:

    • Management Interface - this is the primary network interface attached to the VM when it is created. By default, the static private IP address of this Interface is already registered in the firewall.
    • Inside Interface - this is an extra Interface attached to the VM after it is created. By default, no IP address may be shown for this Interface in the firewall.

    To configure the static IP to the Inside Interface in the firewall:

    1. Login to the Management Portal and navigate to Network -> Interfaces.
    2. Select and edit the Inside Interface.
    3. Enter the IP/Netmask and click OK.

    Create a Static Route

    A static route is needed in the firewall so that traffic from all ports goes to the internet via a given Gateway IP address and Interface.
    To create a static route:

    1. Navigate to Network -> Static Routes and create a new route.
    2. Select Subnet as the Destination and enter 0.0.0.0/0.0.0.0.
    3. Enter the Subnet's gateway IP address under Gateway Address. Typically the first address of the subnet is the gateway, e.g. 192.168.xx.1.
    4. Select the Interface that should be used to reach the gateway IP address and click OK.
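    The same interface and static-route settings, entered from the FortiOS CLI instead of the Management Portal. This is an added example, not part of the original guide or of Fortinet's documentation: the interface name port2 and the 10.0.1.0/24 addresses are constructed placeholders for your own Inside Interface and subnet, and the command names are those of FortiOS 7.4 as documented by Fortinet.

```fortios
# Added example: Inside Interface address and default route via the FortiOS CLI.
# "port2", 10.0.1.4/24 and 10.0.1.1 are constructed placeholders.

config system interface
    edit "port2"
        set alias "inside"
        # Static IP/Netmask for the Inside Interface
        set ip 10.0.1.4 255.255.255.0
        # Keep management access on this interface to the minimum needed
        set allowaccess ping https
    next
end

config router static
    edit 1
        # Destination 0.0.0.0/0.0.0.0 = default route for all outbound traffic
        set dst 0.0.0.0 0.0.0.0
        # The first address of the subnet is usually the gateway
        set gateway 10.0.1.1
        # Interface used to reach the gateway
        set device "port2"
    next
end
```

    After applying it, `get router info routing-table all` should list a `S* 0.0.0.0/0` entry via 10.0.1.1 on port2; if it does not, the interface address and the gateway are not in the same subnet.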

    Configure ICAP

    By default the ICAP feature in the Fortigate firewall is disabled and needs to be enabled.

    1. Login to the Management Portal and navigate to System -> Feature Visibility and enable ICAP under Additional Feature.
    2. Create an ICAP server by navigating to Security Profiles -> ICAP Servers and create a new server.
    3. Enter the name, IP address and port (default 1344) of the ICAP server, and click OK.


    Create ICAP profile

    1. Navigate to Security Profiles -> ICAP and create a new profile.
    2. Enter a name for the profile.
    3. Enable Request processing if you want to process files sent in the requests.
    4. Select the Server created in the previous step from the drop-down.
    5. Under Path enter req-cdr-service. Optionally pass an ICAP profile e.g. req-cdr-service?profile=test-profile1.
    6. Select one of the options when ICAP fails to process the files - Error or Bypass.
    7. Enable Response processing if you want to process the files being received in the response.
    8. Select the Server created in the previous step from the drop-down.
    9. Under Path enter resp-cdr-service. Optionally pass an ICAP profile e.g. resp-cdr-service?profile=test-profile1.
    10. Select one of the options when ICAP fails to process the files - Error or Bypass.
    11. Enable Streaming media bypass.


    Create or update Firewall policy

    1. Navigate to Policy & Objects -> Firewall Policy and create or edit a Firewall policy to enable ICAP integration.
    2. For Inspection mode, select the Proxy-based option.
    3. From the SSL inspection drop-down, select deep-inspection or custom-deep-inspection.
    4. Enable the ICAP option and select the ICAP profile created in the previous step.
    5. Click OK.
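    The ICAP server, ICAP profile and firewall policy from the three sections above, as one FortiOS CLI script. This is an added example, not code from the original guide, from Glasswall or from Fortinet: the server address 10.0.2.10, the object names halo-icap and halo-cdr, and the interfaces port1/port2 are constructed placeholders; req-cdr-service, resp-cdr-service, port 1344 and the deep-inspection profile are the values the guide itself gives.

```fortios
# Added example: ICAP integration via the FortiOS CLI.
# 10.0.2.10, "halo-icap", "halo-cdr", "port1" and "port2" are constructed placeholders.

config icap server
    edit "halo-icap"
        set ip-address 10.0.2.10
        set port 1344
    next
end

config icap profile
    edit "halo-cdr"
        # Files uploaded in requests
        set request enable
        set request-server "halo-icap"
        # Append ?profile=<name> to select a Halo profile, e.g. "req-cdr-service?profile=test-profile1"
        set request-path "req-cdr-service"
        # error  = fail closed: the file is blocked if the CDR service cannot process it
        # bypass = fail open:   the file is delivered uninspected
        set request-failure error
        # Files downloaded in responses
        set response enable
        set response-server "halo-icap"
        set response-path "resp-cdr-service"
        set response-failure error
        # Do not hold streaming media for CDR
        set streaming-content-bypass enable
    next
end

config firewall policy
    # "edit 0" creates a new policy with the next free ID
    edit 0
        set name "inside-to-internet-cdr"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # ICAP needs proxy-based inspection and an SSL/SSH profile that decrypts
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set icap-profile "halo-cdr"
    next
end
```

    `show icap profile halo-cdr` confirms the profile as stored. The failure action is the security-relevant choice here: `error` means an outage of the Halo ICAP server stops file transfers on this policy, while `bypass` keeps users working but lets files through without CDR, so whichever you pick, alert on ICAP failures in the UTM logs.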


    Download CA certificate

    As we have now enabled SSL Inspection in the firewall, we need to download the CA certificate and import it on users' machines or browsers. This ensures that users will not see SSL errors while accessing the internet.

    1. Navigate to Security Profiles -> SSL/SSH Inspection and select the profile used in the Firewall policy.
    2. Click Download beside CA certificate.
    3. Copy it to users' machines and add it to the trusted list under CA certificates.


    Exempt websites from SSL Inspection

    We need the ability to exempt certain websites from SSL inspection for various reasons, such as compatibility issues that arise when SSL inspection is enabled. By default, specific addresses are already exempted from SSL inspection.

    1. Navigate to Security Profiles -> SSL/SSH Inspection.
    2. Select Log SSL exemptions so the firewall will log any such exemptions.
    3. If required, add specific web categories in this section to exempt from SSL Inspection.
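    The exemption logging and a category exemption from the FortiOS CLI. This is an added example, not part of the original guide or of Fortinet's documentation, and it edits custom-deep-inspection because the built-in deep-inspection profile is read-only; the key names are those of the FortiOS ssl-ssh-profile table as I know them, and the category ID is a constructed placeholder, so check both against `get firewall ssl-ssh-profile custom-deep-inspection` on your unit before relying on them.

```fortios
# Added example: log SSL exemptions and exempt one web category.
# Key names are from memory of the FortiOS ssl-ssh-profile table; the
# category ID is a placeholder, not a verified value.

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        # Write a log entry whenever a session is exempted from inspection,
        # so bypassed hosts stay visible in the SSL logs
        set ssl-exemptions-log enable
        config ssl-exempt
            edit 0
                set type fortiguard-category
                # Placeholder: replace with the ID of the category you must exempt
                set fortiguard-category 1
            next
        end
    next
end
```

    Every exemption is a blind spot for the CDR service, so keep the exempt list short and review the exemption log entries rather than silently growing the list when a site breaks.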

